New Investigatory Powers Bill: Industry reaction and analysis

With Theresa May's recent announcement of the details of the new Investigatory Powers Bill, various industry professionals have offered their thoughts and analysis.

Jonathan Parker-Bray, CEO of Criptyque, Makers of Pryvate:

"The Investigatory Powers Bill does not take into account individuals' fundamental right to privacy. Where matters of national security are concerned, we are fully behind any government proposal to protect its citizens. However, this ought not to extend to such a level where law-abiding citizens no longer have the right to their own privacy.

"We believe that everyone has the right to choose whether or not to keep their communications private and protect themselves from cybercrime and surveillance, and use whatever encryption tools are at their disposal to achieve such ends. This bill would see those liberties potentially turned on their head, and everyone’s personal online lives – though conducted in the privacy of their own home – available for official scrutiny, without a clear rationale or justification.

"Everything from family photos, medical records, confidential business transactions, and legal communications can be exposed at a whim. Whilst we would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age, this should not override the hard-fought right to privacy that is owned by every citizen in the UK. Threat actors will always find nefarious ways of using good-intentioned technology for their own means, and this law is a potential license for the invasion of the right to privacy on a scale this country cannot allow."

Yuval Ben-Moshe, senior forensics technical director at Cellebrite:

“There’s been much debate over Home Secretary Theresa May’s Investigatory Powers Bill. The legitimate concerns over the general public’s privacy point to the importance of taking measures, with technology, to promote safeguards and ensure compliance while also proceeding forward to deal efficiently with emerging threats.

“Digital forensic analysis, especially on mobile devices and cloud-stored data, now plays such a key part in criminal investigations, as all of us now have a digital footprint reflecting our character, whereabouts and future plans.

“In specific cases that warrant action, if intelligence agencies are granted access to an individual or group’s mobile and online activity, the data should be handled sensitively and by fully trained and qualified professionals. It’s important for agencies to have the correct technology in place to ensure forensic investigations are as full, accurate and focused as possible on extracting and analysing only the data relevant to bring those responsible for criminal activity to justice, as well as proving innocence.”

Antony Walker, deputy CEO of techUK:

“This draft bill requires very careful scrutiny. On first impressions it looks like a step in the right direction to creating what is required here: a world-leading legal framework that balances the security needs with democratic values. Parliament must now judge whether the powers government is seeking, such as internet connection records, equipment interference and bulk collection, are necessary and proportionate, and whether the safeguards being proposed to govern their use are sufficient. The importance of the task ahead of the Joint Parliamentary Scrutiny Committee cannot be overstated.

“The Government has been at pains to stress that it is not seeking a ban on end-to-end encryption and that Communications Services Providers will be required to take reasonable steps to make data available under warrant. This looks like a good outcome for ensuring the cyber security of individuals, businesses and the UK as a whole. However, much will depend on the interpretation of what is reasonable.

“If the IP Bill is to deliver in practice, government needs to ensure that Communications Services Providers are not subject to conflicts of law. As recommended by the Sheinwald Report, UK government needs to work with the US and other countries to develop a new international framework for cooperation between jurisdictions to avoid creating uncertainty for companies and services that operate cross border.”

Bharat Mistry, Cybersecurity Consultant, Trend Micro:

“Unfortunately this legislation unlocks more questions than answers. If a Communications Service Provider (CSP) is required to capture this data and store it, there is a question around who is going to fund the infrastructure costs. This isn’t just about the physical infrastructure assets; environmental costs such as power, cooling and physical security also have to be considered. CSPs are already saying that data storage repositories are growing at an unmanageable rate – so how can this quantity of data be managed and securely transferred and stored? Will the data be in one central repository or multiple, and what about backup and storage? Another challenge will be keeping audit trails of who, what, when and where in relation to the data. Moreover, how and when will the data be purged?

"Keeping more data than is necessary is only really going to add to increasing the risk of a data breach. Capturing and storing this additional data is only going to increase the management and operational challenges of protecting it. Ultimately, CSPs will be forced to revisit their data protection strategy and consider a tiered ‘one size fits all’ model that will be cost prohibitive and increases risk. In the last week both TalkTalk and Vodafone have been hit, and in both cases personal data was exposed.

"So consider a CSP potentially capturing data about the surfing habits of everyone – this will undoubtedly draw the attention of advanced threat actors such as nation states and hacktivists with strong political agendas – ISIS for example.”